Merged
add Document#entity_expansion_text_limit=
## Why?
See: #192

---------

Co-authored-by: Sutou Kouhei <kou@clear-code.com>
naitoh and kou committed Aug 26, 2024
commit d732ec29e31a4819b88e961b440bf3e0aaaafdbd
5 changes: 3 additions & 2 deletions lib/rexml/attribute.rb
Expand Up @@ -148,8 +148,9 @@ def to_s
# have been expanded to their values
def value
return @unnormalized if @unnormalized
@unnormalized = Text::unnormalize( @normalized, doctype )
@unnormalized

@unnormalized = Text::unnormalize(@normalized, doctype,
entity_expansion_text_limit: @element&.document&.entity_expansion_text_limit)
end

# The normalized value of this attribute. That is, the attribute with
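Review bot: The document's limit is consulted only on the first call to `value`, because `return @unnormalized if @unnormalized` hands back the cached expansion on every later call. Lowering `entity_expansion_text_limit` on the document after an attribute value has been read therefore does not re-check that value; `Text#value` in lib/rexml/text.rb caches with `@unnormalized ||=` and behaves the same way. I would state this next to the method, e.g. `# The document's entity_expansion_text_limit is applied on first access; later changes do not affect the cached value.` An attribute with no element or document passes nil here, which `Text::unnormalize` in this commit turns into `Security.entity_expansion_text_limit`.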
2 changes: 2 additions & 0 deletions lib/rexml/document.rb
Expand Up @@ -92,6 +92,7 @@ class Document < Element
def initialize( source = nil, context = {} )
@entity_expansion_count = 0
@entity_expansion_limit = Security.entity_expansion_limit
@entity_expansion_text_limit = Security.entity_expansion_text_limit
super()
@context = context
return if source.nil?
Expand Down Expand Up @@ -433,6 +434,7 @@ def Document::entity_expansion_text_limit

attr_reader :entity_expansion_count
attr_writer :entity_expansion_limit
attr_accessor :entity_expansion_text_limit
Member


Do we need the reader for this?

Contributor Author

@naitoh naitoh Aug 23, 2024


Yes
In the following we use reader.


def record_entity_expansion
@entity_expansion_count += 1
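Review bot: `attr_accessor :entity_expansion_text_limit` stores whatever is assigned and carries no comment, although it is a security setting. A non-numeric value is noticed only later, when `sum + s.bytesize > entity_expansion_text_limit` runs inside `Text::unnormalize`, and a very large value effectively turns the bound off for that document. At minimum I would document the unit and the fallback above the accessor: `# Per-document limit, in bytes, on text produced by entity expansion; nil falls back to Security.entity_expansion_text_limit.` Whether the writer should also reject non-Integer values is a judgement call, since the neighbouring `attr_writer :entity_expansion_limit` does no validation either.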
7 changes: 5 additions & 2 deletions lib/rexml/entity.rb
Expand Up @@ -71,9 +71,12 @@ def Entity::matches? string
# Evaluates to the unnormalized value of this entity; that is, replacing
# &ent; entities.
def unnormalized
document.record_entity_expansion unless document.nil?
document&.record_entity_expansion

return nil if @value.nil?
@unnormalized = Text::unnormalize(@value, parent)

@unnormalized = Text::unnormalize(@value, parent,
entity_expansion_text_limit: document&.entity_expansion_text_limit)
end

#once :unnormalized
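--- a/lib/rexml/text.rb
+++ b/lib/rexml/text.rb
@@ -268,7 +268,8 @@ def inspect
 # u = Text.new( "sean russell", false, nil, true )
 # u.value #-> "sean russell"
 def value
-@unnormalized ||= Text::unnormalize( @string, doctype )
+@unnormalized ||= Text::unnormalize(@string, doctype,
+entity_expansion_text_limit: document&.entity_expansion_text_limit)
 end
 
 # Sets the contents of this text node. This expects the text to be
@@ -411,11 +412,12 @@ def Text::normalize( input, doctype=nil, entity_filter=nil )
 end
 
 # Unescapes all possible entities
-def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
+def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil, entity_expansion_text_limit: nil )
+entity_expansion_text_limit ||= Security.entity_expansion_text_limit
 sum = 0
 string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
 s = Text.expand($&, doctype, filter)
-if sum + s.bytesize > Security.entity_expansion_text_limit
+if sum + s.bytesize > entity_expansion_text_limit
 raise "entity expansion has grown too large"
 else
 sum += s.bytesize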
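Review bot: The comment above `Text::unnormalize` still reads only `# Unescapes all possible entities` and says nothing about the new `entity_expansion_text_limit:` keyword. Two properties visible in the second hunk belong there: a nil limit is replaced by `Security.entity_expansion_text_limit` through `||=`, and `sum = 0` runs on every call, so the limit bounds the expanded bytes of one string rather than of the whole document. I would add, for example, `# entity_expansion_text_limit: maximum total bytes of expanded entities for this string; nil uses Security.entity_expansion_text_limit.` The method body continues past the end of the hunk.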
10 changes: 1 addition & 9 deletions test/test_document.rb
Expand Up @@ -31,14 +31,6 @@ def test_new
end

class EntityExpansionLimitTest < Test::Unit::TestCase
def setup
@default_entity_expansion_text_limit = REXML::Security.entity_expansion_text_limit
end

def teardown
REXML::Security.entity_expansion_text_limit = @default_entity_expansion_text_limit
end

class GeneralEntityTest < self
def test_have_value
xml = <<XML
Expand Down Expand Up @@ -138,8 +130,8 @@ def test_entity_expansion_text_limit
<member>&a;</member>
XML

REXML::Security.entity_expansion_text_limit = 90
doc = REXML::Document.new(xml)
doc.entity_expansion_text_limit = 90
assert_equal(90, doc.root.children.first.value.bytesize)
end
end
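Review bot: The visible test asserts only the at-limit case, a 90-byte expansion with `doc.entity_expansion_text_limit = 90`, so nothing in this hunk shows the per-document limit rejecting an oversized expansion. Unless that is covered outside the hunk, I would add a case with `doc.entity_expansion_text_limit = 89` and `assert_raise(RuntimeError) { doc.root.children.first.value }`, so a regression that ignores the document's limit fails the suite. Dropping `setup`/`teardown` is safe only if no remaining test in `EntityExpansionLimitTest` still assigns `REXML::Security.entity_expansion_text_limit`, which cannot be confirmed from the lines shown.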